Service Creation

The registration of a new service or daemon on an operating system.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 4697 - Captures the creation of a new Windows service.
    • Event ID 7045 - Captures services installed by administrators or adversaries.
    • Event ID 7034 - Could indicate malicious service modification or exploitation.
  • Sysmon Logs
    • Sysmon Event ID 1 - Process Creation (captures service executables).
    • Sysmon Event ID 4 - Service state changes (detects service installation).
    • Sysmon Event ID 13 - Registry modifications (captures service persistence changes).
  • PowerShell Logging
    • Monitor New-Service and Set-Service PowerShell cmdlets in Event ID 4104 (Script Block Logging).
  • Linux/macOS Collection Methods
    • AuditD & Syslog Daemon Logs (/var/log/syslog, /var/log/messages, /var/log/daemon.log)
    • AuditD Rules:
      • auditctl -w /etc/systemd/system -p wa -k service_creation
      • Detects changes to systemd service configurations.
    • Systemd Journals (journalctl -u <service_name>)
      • Captures newly created systemd services.
    • LaunchDaemons & LaunchAgents (macOS)
      • Monitor /Library/LaunchDaemons/ and /Library/LaunchAgents/ for new plist files.
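The collection measures above yield service definitions in three shapes: the ImagePath field of Windows Event ID 7045, the ExecStart line of a systemd unit file, and the Program/ProgramArguments keys of a launchd plist. The Python script that follows is an added example, not part of this page or of ATT&CK, that normalizes all three to the service's executable and flags executables installed outside a set of expected directories, which is the "uncommon binary path" condition several of the log sources on this page describe. The sample records and the allowlisted directories are constructed assumptions and must be tuned per environment.

```python
"""Triage of service-creation records from Windows, systemd and launchd.

Added example, not part of the original page. All sample records below are
constructed, and the EXPECTED_DIRS allowlist is an assumption to tune.
"""
import plistlib
import re
from dataclasses import dataclass

# Directories where service binaries are normally installed (assumption; tune
# per environment, e.g. drop /opt/ if it is not used by your packaging).
EXPECTED_DIRS = {
    "windows": ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\"),
    "linux": ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
              "/usr/local/", "/bin/", "/sbin/", "/lib/", "/opt/"),
    "macos": ("/system/", "/usr/", "/library/apple/", "/applications/"),
}


@dataclass
class Finding:
    platform: str
    service: str
    binary: str
    reason: str


_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def first_token(command: str) -> str:
    """Executable of a command line, honouring a quoted first argument."""
    m = _FIRST_TOKEN.match(command)
    return (m.group(1) or m.group(2)) if m else ""


def binary_from_windows_7045(event: dict) -> str:
    """ImagePath of Event ID 7045 (service installed), e.g. 'C:\\x.exe -k svc'."""
    return first_token(event["ImagePath"])


def binary_from_systemd_unit(unit_text: str) -> str:
    """Last non-empty ExecStart= of a unit file; an empty ExecStart= resets it.
    systemd's prefix characters (-, @, :, +, !) are stripped first."""
    binary = ""
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            value = line[len("ExecStart="):].lstrip("-@:+!")
            binary = first_token(value) if value else ""
    return binary


def binary_from_launchd_plist(plist_bytes: bytes) -> str:
    """Program, or ProgramArguments[0], of a LaunchDaemon/LaunchAgent plist."""
    plist = plistlib.loads(plist_bytes)
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def normalize_windows_path(path: str) -> str:
    """Lower-case and expand the \\SystemRoot\\, system32\\ and \\??\\ forms
    that ImagePath values use, so they compare against EXPECTED_DIRS."""
    path = path.lower().replace("/", "\\")
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.startswith("\\systemroot\\"):
        path = "c:\\windows\\" + path[len("\\systemroot\\"):]
    elif path.startswith("system32\\"):
        path = "c:\\windows\\" + path
    return path


def is_expected_path(platform: str, binary: str) -> bool:
    path = normalize_windows_path(binary) if platform == "windows" else binary.lower()
    return any(path.startswith(prefix) for prefix in EXPECTED_DIRS[platform])


def triage(events: list) -> list:
    """Normalize each record to (platform, service, binary) and flag binaries
    outside the expected directories or missing altogether."""
    findings = []
    for ev in events:
        src = ev["source"]
        if src == "WinEventLog:System" and ev.get("EventCode") == 7045:
            platform, name, binary = "windows", ev["ServiceName"], binary_from_windows_7045(ev)
        elif src == "linux:osquery":  # unit file contents collected by osquery
            platform, name, binary = "linux", ev["unit"], binary_from_systemd_unit(ev["contents"])
        elif src == "macos:osquery":  # launchd plist collected by osquery
            platform, name, binary = "macos", ev["path"], binary_from_launchd_plist(ev["plist"])
        else:
            continue
        if not binary:
            findings.append(Finding(platform, name, binary, "no executable in service definition"))
        elif not is_expected_path(platform, binary):
            findings.append(Finding(platform, name, binary, "executable outside expected directories"))
    return findings


# Constructed sample records (not real telemetry).
_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.update/agent</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_EVENTS = [
    {"source": "WinEventLog:System", "EventCode": 7045, "ServiceName": "WinUpdateHelper",
     "ImagePath": "C:\\Users\\Public\\wuhelper.exe -k netsvcs", "StartType": "auto start"},
    {"source": "WinEventLog:System", "EventCode": 7045, "ServiceName": "VendorAgent",
     "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\" --service", "StartType": "auto start"},
    {"source": "linux:osquery", "unit": "/etc/systemd/system/updater.service",
     "contents": "[Unit]\nDescription=updater\n\n[Service]\nExecStart=-/tmp/.x/updater --daemon\n"},
    {"source": "linux:osquery", "unit": "/etc/systemd/system/node-exporter.service",
     "contents": "[Service]\nExecStart=/usr/local/bin/node_exporter\n"},
    {"source": "macos:osquery", "path": "/Library/LaunchAgents/com.example.update.plist", "plist": _PLIST},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.platform}] {f.service}: {f.binary} ({f.reason})")
```

Running the script prints the three constructed records whose executables live under C:\Users\Public, /tmp and /Users/Shared; the quoted Program Files path and the /usr/local binary pass. The allowlist approach is deliberately simple: it catches the path-based signals the log sources above describe, and is meant to be paired with the signer and process-lineage checks those sources also mention, which cannot be evaluated from the service definition alone.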

ID: DC0060
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                              Channel
auditd:CONFIG_CHANGE              creation or modification of systemd services
containerLogs:systemd_unit_files  unit file referencing container binary with persistent flags
kubernetes:audit                  create
linux:osquery                     newly registered unit file with ExecStart pointing to unknown binary
linux:syslog                      systemctl start/enable with uncommon binary paths
macos:osquery                     Process Events and Launch Daemons
macos:osquery                     launch_daemons
macos:osquery                     detection of new launch agents with suspicious paths or unsigned binaries
macos:unifiedlog                  creation or loading of new launchd services
macos:unifiedlog                  launchd loading new LaunchDaemon or changes to existing daemon configuration
Service                           None
WinEventLog:Security              EventCode=7045
WinEventLog:Security              EventCode=4697
WinEventLog:System                EventCode=7036
WinEventLog:System                EventCode=7045
WinEventLog:System                EventCode=7031, 7034

Detection Strategy

ID       Name  Technique Detected
DET0496  Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic)  T1219
DET0021  Behavioral Detection for Service Stop across Platforms  T1489
DET0089  Behavioral Detection of Keylogging Activity Across Platforms  T1056.001
DET0127  Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy  T1036
DET0098  Detect abuse of Windows BITS Jobs for download, execution and persistence  T1197
DET0462  Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows  T1557.001
DET0473  Detect persistent or elevated container services via container runtime or cluster manipulation  T1543.005
DET0588  Detection for Remote Service Session Hijacking for RDP.  T1563.002
DET0311  Detection for Spoofing Security Alerting across OS Platforms  T1562.011
DET0764  Detection of Adversary-in-the-Middle  T0830
DET0497  Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms.  T1562.001
DET0377  Detection of Kernel/User-Level Rootkit Behavior Across Platforms  T1014
DET0434  Detection of Launch Agent Creation or Modification on macOS  T1543.001
DET0117  Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution  T1036.004
DET0725  Detection of Masquerading  T0849
DET0571  Detection of System Process Creation or Modification Across Platforms  T1543
DET0253  Detection of Systemd Service Creation or Modification on Linux  T1543.002
DET0552  Detection of Windows Service Creation or Modification  T1543.003
DET0304  Detection Strategy for Endpoint DoS via Application or System Exploitation  T1499.004
DET0321  Detection Strategy for Hidden Virtual Instance Execution  T1564.006
DET0436  Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness.  T1574.010
DET0317  Detection Strategy for Impair Defenses Across Platforms  T1562
DET0401  Detection Strategy for Launch Daemon Creation or Modification (macOS)  T1543.004
DET0314  Detection Strategy for Network Sniffing Across Platforms  T1040
DET0279  Detection Strategy for System Services across OS platforms.  T1569
DET0421  Detection Strategy for System Services Service Execution  T1569.002
DET0265  Detection Strategy for System Services: Launchctl  T1569.001
DET0073  Detection Strategy for System Services: Systemctl  T1569.003
DET0075  Internal Proxy Behavior via Lateral Host-to-Host C2 Relay  T1090.001
DET0162  Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002)  T1205.002